In the high-stakes world of corporate cybersecurity, chief information security officers are grappling with unprecedented pressures. A staggering 58% of CISOs believe their organizations are unprepared to respond to a cyberattack, according to CSO Online . This figure, drawn from Proofpoint’s 2025 Voice of the CISO Report surveying 1,600 leaders across 16 countries, underscores a deepening anxiety: 76% now feel at risk of a material cyberattack in the next 12 months, up from 70% the prior year.
The strain is palpable. Nagomi Security’s 2025 CISO Pressure Index reveals 80% of CISOs under high or extreme pressure, with 87% noting an increase over the past year and 67% experiencing weekly or daily burnout. As threats evolve—fueled by AI proliferation and geopolitical tensions—CISOs face structural barriers that hobble their defenses.
Recent reports amplify the urgency. PwC’s 2026 Global Digital Trust Insights highlights how executives rank cyber risk among top strategic priorities amid uncertainty, while SecurityWeek warns of persistent skills gaps, especially in AI, persisting into 2026 and beyond.
Overwhelmed Teams and Prioritization Paralysis
The first major issue: failure to train and empower teams. Omar Khawaja, who leads Databricks’ field security practice and teaches at Carnegie Mellon University’s CISO program, observes, “Every CISO feels very overwhelmed.” Security teams drown in tasks, forcing CISOs to micromanage priorities, which slows response times and exacerbates burnout.
Khawaja advises clear mechanisms: “There should be criteria or factors that says it’s high, medium, low priority for anything delivered by the security team, because then any team member can look at any request that comes to them and they can confidently and effectively prioritize it.” Without this, executives remain bottlenecked, as noted in the CSO Online analysis.
AI’s Double-Edged Surge
CISOs lag behind business AI adoption. Robert T. Lee, chief AI officer at SANS, states, “Most CISOs are wrestling with how to secure AI,” adding, “There is a general lack of knowledge on how to approach AI.” Cyera’s 2025 State of AI Data Security Report shows 83% of organizations use AI, but only 13% have strong visibility into sensitive data handling, 16% treat AI as a distinct identity, 11% can block risky activity automatically, and just 7% have dedicated governance teams.
This “Security Framework of No” stifles innovation, breeding shadow AI. Lee urges a holistic approach: establish data risk profiles, prioritize high-risk areas, and train teams on AI security. Meanwhile, ISC2’s 2025 Cybersecurity Workforce Study finds only 28% of enterprise leaders have integrated AI into security operations, though 63% report productivity boosts where adopted.
Jon France, CISO of ISC2, notes, “CISOs are playing a bit of catch-up” in deploying AI at business speed. Expectations point to network monitoring (40%), security operations, testing (30% each), vulnerability management (29%), and threat modeling or endpoint protection (28% each) for biggest impacts.
Talent Drought Deepens Cracks
Skills shortages plague progress. Accenture’s 2025 State of Cybersecurity Resilience reports 83% of IT executives see cyber talent gaps as major obstacles. ISC2 data shows 63% with slight or significant shortages (down modestly from 68% in 2024), but critical needs rose: 59% (up from 44%), with 95% facing at least one gap. Top demands: AI (41%), cloud security (36%), risk assessment (29%), app security (28%), security engineering and governance (27%), risk/compliance (27%).
France emphasizes, “We need people who are suitable to discharge the duties of security roles today.” Khawaja highlights “middle skills” like risk and change management: “If you don’t have those middle skills, there’s only so far the security team can go.” Fortinet’s CISO Collective echoes this, noting the skills gap as a top concern for three years running.
2026 Priorities Reshape the Battleground
Looking ahead, CSO Online lists CISOs’ top 2026 focuses: defending AI-enabled attacks, securing AI deployments, advancing AI in operations, bolstering third-party risk amid outages like AWS and Cloudflare in 2025, and cyber resilience beyond IT recovery—encompassing legal, PR, disclosures, and suppliers, per Gartner.
Google Cloud’s 2026 forecast predicts shadow AI escalating to “Shadow Agent” challenges. Cyble stresses machine-speed defenses against 2025 lessons in supply-chain breaches, urging SBOM validation, zero-trust integrations, and leadership wellness amid fatigue.
Wiz’s 2026 CISO Budget Benchmark reveals 85% increased budgets last year, 90% expect growth, but half say cloud complexity and tool sprawl (58% run 25+ tools) hinder programs. Boards prioritize business valuation post-attack, per Proofpoint, yet alignment dipped to 64% from 84%.
Regulatory and Geopolitical Pressures Mount
Personal liability looms large. SecurityWeek cites SEC dropping SolarWinds litigation in 2025, but warns, “In 2026, the biggest cyber risk won’t just be ransomware… it will be the personal liability imposed on CISOs.” Compliance doesn’t equal security, with regulators pushing individual accountability.
PwC notes 60% rank cyber investment top-three amid geopolitics. CSO Online cautions against overlooking supply chains: Jaguar Land Rover’s 2025 attack cost $2.5 billion, rippling to suppliers. Greg Zelo, CTO of AMFT, warns, “CISOs who overlook cybersecurity in complex supply chains… risk catastrophic consequences.”
World Economic Forum’s Global Cybersecurity Outlook 2026 shifts CEO concerns to cyber fraud/phishing and AI vulnerabilities, while CISOs fixate on ransomware and supply disruptions. Gartner urges resilience encompassing more than recovery.
Pathways to Empowerment
CISOs must evolve. IANS Research’s 2026 State of the CISO shows 46% at executive level, but 54% say scope unmanageable, 69% open to moves. Wiz pushes efficiency amid rising spend. Evanta’s Gartner communities highlight resilience, cyber intelligence, and supply-chain security.
Success demands delegation, AI governance, talent strategies, and business alignment. As Khawaja puts it, empower teams to focus “on the most important stuff.” In 2026, resilient CISOs will turn pressures into strategic advantage.
Leave a Reply
Your email address will not be published.